Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
23-12-2024 23:35
Static task
static1
Behavioral task
behavioral1
Sample
914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe
Resource
win7-20241010-en
General
-
Target
914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe
-
Size
212KB
-
MD5
f57c2b72ee75c357a12ce03a08be95b8
-
SHA1
c0e8867ac37614f7e0e40fab9a66b9c6ef1c3249
-
SHA256
914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2
-
SHA512
59123bbe391f391b3c248f5be7889fad1cc806bbcbbe9ed1653c3ca687f7d27f21ba7e75215e225ddc04e29195d5e5a712e7a6219968eb1ff0e74c32d69da5da
-
SSDEEP
3072:qeJLLpTnq5URrqNqYd31LgpI01TEr4J6anBbkPzHM38ad:zLLpThR4qYh1UG01TEr4nWw38s
Malware Config
Extracted
Family
amadey
-
Version
3.50
-
Botnet
0237fa
-
C2
http://193.56.146.194
-
install_dir
50c1695437
-
install_file
rovwer.exe
-
strings_key
b6d412dd2efdf33d84e939e52040748f
-
url_paths
/h49vlBP/index.php
Signatures
-
Amadey family
-
Executes dropped EXE 4 IoCs
pid   Process
1976  rovwer.exe
2628  rovwer.exe
1728  rovwer.exe
956   rovwer.exe
-
Loads dropped DLL 2 IoCs
pid   Process
2356  914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe
2356  914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rovwer.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Note that this key is also read during ordinary Windows locale initialisation (the third hit is the system binary schtasks.exe), so on its own it is a weak signal; the hits on the sample and on rovwer.exe matter only in combination with the other behaviour below.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2424  schtasks.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
description                        pid   Process                                                                  procid_target
PID 2356 wrote to memory of 1976   2356  914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe  31
PID 2356 wrote to memory of 1976   2356  914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe  31
PID 2356 wrote to memory of 1976   2356  914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe  31
PID 2356 wrote to memory of 1976   2356  914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe  31
PID 1976 wrote to memory of 2424   1976  rovwer.exe                                                               32
PID 1976 wrote to memory of 2424   1976  rovwer.exe                                                               32
PID 1976 wrote to memory of 2424   1976  rovwer.exe                                                               32
PID 1976 wrote to memory of 2424   1976  rovwer.exe                                                               32
PID 2800 wrote to memory of 2628   2800  taskeng.exe                                                              36
PID 2800 wrote to memory of 2628   2800  taskeng.exe                                                              36
PID 2800 wrote to memory of 2628   2800  taskeng.exe                                                              36
PID 2800 wrote to memory of 2628   2800  taskeng.exe                                                              36
PID 2800 wrote to memory of 1728   2800  taskeng.exe                                                              37
PID 2800 wrote to memory of 1728   2800  taskeng.exe                                                              37
PID 2800 wrote to memory of 1728   2800  taskeng.exe                                                              37
PID 2800 wrote to memory of 1728   2800  taskeng.exe                                                              37
PID 2800 wrote to memory of 956    2800  taskeng.exe                                                              39
PID 2800 wrote to memory of 956    2800  taskeng.exe                                                              39
PID 2800 wrote to memory of 956    2800  taskeng.exe                                                              39
PID 2800 wrote to memory of 956    2800  taskeng.exe                                                              39
Every target PID here is a child that the writing process had just created (compare the Processes tree: 2356 → 1976, 1976 → 2424, 2800 → 2628/1728/956); the report records no write into an already-running, unrelated process, so this signature reflects process creation rather than cross-process injection. The procid_target column is the report's own process identifier, not a Windows PID.
Processes
-
C:\Users\Admin\AppData\Local\Temp\914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
    C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1976
        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID:2424
          The command line names System32\schtasks.exe but the image that ran is SysWOW64\schtasks.exe: rovwer.exe is a 32-bit process (see the arch:x86 resource tag), so WoW64 file-system redirection resolved the path. The task is named after the binary, re-runs it every minute (/SC MINUTE /MO 1), and /F silently overwrites any existing task of that name.
-
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {AD2D7D5C-AB79-4F96-80A0-BFA4E6AC2EB1} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID:2800
  taskeng.exe is the Windows 7 Task Scheduler engine; the three children below are the scheduled task firing, one launch per minute of the remaining analysis window.
    C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      - Executes dropped EXE
      PID:2628
    C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      - Executes dropped EXE
      PID:1728
    C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      - Executes dropped EXE
      PID:956
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
77KB
MD5
a92aae607bde28707e1d8d1a6b4c57bd
SHA1
1d2396b52db0c6b9f75991ee7245348c2c46a072
SHA256
5d0947ea515b7aabb8f0bd8dfdb4c69c7e22d483c3f9e679c73b0e7e980a6170
SHA512
262e38e0df1549822764ab091558697feed238193836f551b4fde3a63e7fc0db83b9b8f34d30c9d29152cc8168ceda31d180b13bb8791f0570f0266fd44d1051
-
Filesize
212KB
MD5
f57c2b72ee75c357a12ce03a08be95b8
SHA1
c0e8867ac37614f7e0e40fab9a66b9c6ef1c3249
SHA256
914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2
SHA512
59123bbe391f391b3c248f5be7889fad1cc806bbcbbe9ed1653c3ca687f7d27f21ba7e75215e225ddc04e29195d5e5a712e7a6219968eb1ff0e74c32d69da5da